
RE: SPI in Delete Payload of IKE / IKEv2



Hi,

You send a Delete-SA to stop the peer from using that SA.  The IPsec SA is
outbound for the peer, but inbound for you.

If A and B negotiate an IPsec SA, A sends ESP packets with SPI 17, and B
sends packets with SPI 49.  If A wants this traffic to stop, he sends B a
Delete payload with the SPI field 49.

To stop transmissions on SPI 17, A need not send out anything.  It is
enough that he stops using it.  It might have been nice to also be able to
tell peer B that no more traffic will come with SPI 17, so that peer B has
an easier time dropping fake packets, but this is not in the spec.

Hope this helps.

Yoav Nir

-----Original Message-----
From: owner-ipsec@lists.tislabs.com [mailto:owner-ipsec@lists.tislabs.com] On
Behalf Of Atsuhiro Tsuji
Sent: Thursday, March 06, 2003 2:51 PM
To: ipsec@lists.tislabs.com
Subject: SPI in Delete Payload of IKE / IKEv2


Hi, all,

I'd like to discuss the SPI value in the Delete Payload
of IKE / IKEv2.

This is my first time sending a question to the mailing list,
so if my behavior/expression is not appropriate,
please kindly point it out to me.


As you know, there is a field which contains SPIs in the Delete Payload
of IKE / IKEv2. But I cannot find the direction of the SA.
So, I'm confused about whether I have to delete the INBOUND SA or the
OUTBOUND SA, especially for IPsec-SA.

Is there any rule for this?
I wonder whether we had better add a new field which indicates the direction.

If you've already discussed this issue, please give me a pointer
to that discussion.

I'm looking forward to your joining this discussion.

Thank you in advance.

-----
 Atsuhiro Tsuji [tsuji.atsuhiro@jp.panasonic.com]
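
The direction rule from the reply above, as an added example that is not part of the original messages: the sender of a Delete names one of its own inbound SPIs, and the receiver looks that SPI up among its outbound SAs. The payload body layout (Protocol ID, SPI Size, Num of SPIs, SPIs, with protocol ID 3 for ESP) is assumed from the IKEv2 Delete payload as later published in RFC 7296; the `Peer` class and all function names are hypothetical.

```python
import struct

ESP = 3  # IKEv2 protocol ID for ESP (assumed from RFC 7296)

def build_delete(spis):
    """Delete payload body: Protocol ID, SPI Size, Num of SPIs, then the SPIs."""
    head = struct.pack("!BBH", ESP, 4, len(spis))
    return head + b"".join(struct.pack("!I", s) for s in spis)

def parse_delete(body):
    """Return the list of ESP SPIs, rejecting malformed bodies."""
    if len(body) < 4:
        raise ValueError("truncated Delete payload")
    proto, spi_size, count = struct.unpack("!BBH", body[:4])
    if proto != ESP or spi_size != 4:
        raise ValueError("only 4-byte ESP SPIs are handled here")
    if len(body) != 4 + spi_size * count:
        raise ValueError("length does not match SPI count")
    return list(struct.unpack("!%dI" % count, body[4:]))

class Peer:
    def __init__(self, name):
        self.name = name
        self.inbound = set()   # SPIs this peer expects on ESP it receives
        self.outbound = set()  # SPIs this peer writes on ESP it sends

    def request_delete(self, spi):
        """Ask the other side to stop sending on `spi` (one of OUR inbound SPIs)."""
        if spi not in self.inbound:
            raise ValueError("Delete must name one of the sender's inbound SPIs")
        return build_delete([spi])

    def handle_delete(self, body):
        """SPIs in a received Delete identify OUR outbound SAs; stop using them."""
        removed = [s for s in parse_delete(body) if s in self.outbound]
        self.outbound.difference_update(removed)
        return removed

def demo():
    # Constructed scenario from the reply: A sends with SPI 17, B sends with SPI 49.
    a, b = Peer("A"), Peer("B")
    a.outbound.add(17); b.inbound.add(17)
    b.outbound.add(49); a.inbound.add(49)
    removed = b.handle_delete(a.request_delete(49))
    return removed, a, b

if __name__ == "__main__":
    removed, a, b = demo()
    print("B stopped sending on", removed, "; A still sends on", sorted(a.outbound))
```

Teardown of A's own inbound state after the exchange is left out; the block only shows which side each SPI in the Delete refers to.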